The Nmap Scripting Engine has transform Nmap from a regular port scanner to a penetration testing machine.With the variety of the scripts that exists so far we can even perform a full penetration test to an SQL database without the need of any other tool.In this tutorial we will have a look in these scripts,what kind of information these extract from the database and how we can exploit the SQL server and execute system commands through Nmap.

Most SQL databases run on port 1433 so in order to discover information regarding the database we need to execute the following script:

Obtain SQL Information – Nmap

So we already have the database version and the instance name.The next step is to check whether there is a weak password for authentication with the database.In order to achieve that we need to run the following nmap script which it will perform a brute force attack.

Brute Force Weak MS-SQL Accounts – Nmap

As we can see in this case we didn’t discover any credentials.If we want we can use this script with our own username and password lists in order to discover a valid database account with this command:

However we can always try another script which can check for the existence of null passwords on Microsoft SQL Servers.

Check For Null passwords on SA accounts – Nmap

Now we know that the sa account has not a password.We can use this information in order to connect with the database directly or to continue to execute further Nmap scripts that require valid credentials.If we want to know in which databases the sa account has access to or any other account that we have discovered we can run the ms-sql-hasdbaccess script with the following arguments:

Discover which user has access to which db – Nmap

We can even query the Microsoft SQL Server via Nmap in order to obtain the database tables.

List Tables – Nmap

In 2000 version of SQL Server xp_cmdshell is enabled by default so we can even execute operating system commands through Nmap scripts as it can be seen in the image below:

Run OS command via xp_cmdshell – Nmap

Run net users via xp_cmdshell – Nmap

Last but not least we can run a script to extract the database password hashes for cracking with tools like john the ripper.

Dump MS-SQL hashes – Nmap

In this case we didn’t have any hashes because there was only one account on the database the sa which has null password.